Hi rdw, I've put together example configurations you can try out on your Netvanta and on the shrewsoft VPN client. You haven't provided any details of IP addresses and credentials, so I will assume the following settings which you will need to adapt to your circumstances:

! Map the VPN service to your public facing interface, e.g. eth 0/1, or ppp 1, as appropriate:
! ========================
interface eth 0/1
  description WAN
  ip address AAA.BB.CCC.DD
  ip access-policy Public
  ip crypto map VPN ! This line enables VPN on this interface
  no shutdown
  no lldp send-and-receive
!
[snip ...]

! Set up selectors to filter VPN packets:
! ==============================
ip access-list extended VPN-3-selectors
  permit ip 10.10.3.0 0.0.0.255 172.16.3.0 0.0.0.255
  deny ip any any log
!
[snip ...]

! Set up policies to allow filtered VPN packets in and out:
! ==============================================
ip policy-class Private
  allow list VPN-3-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-3-selectors stateless
!

The configuration for the Shrew remote client, which on a Windows PC can be found in:

C:\Users\<user_name>\AppData\Local\ShrewSoftVPN\sites\

would look like this:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:7080
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:AAA.BB.CCC.DD #Set the public IP address of 3448 here
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:remote@remote_client.com
s:ident-server-data:AAA.BB.CCC.DD #Set the public IP address of 3448 here
b:auth-mutual-psk: #Leave this blank, then add the PSK using the GUI
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
n:phase2-pfsgroup:5
s:policy-level:unique
s:policy-list-include:10.10.3.0 / 255.255.255.0

When you try to initiate a connection Shrew will ask you to enter the XAuth username and password, which in the above example is admin_VPN_client and my_secret_admin_VPN_client_passwd respectively. These examples should get your connection going, but if not post back logs of shrewsoft and a debug session of the Netvanta, after you obfuscate public IP addresses and usernames/passwords.

NOTE: Using Aggressive mode to initiate an IKE exchange with PSK authentication is not secure because a hash of the PSK is sent out unencrypted and, if the connection is eavesdropped, can be brute forced offline. So, in critical production environments it is advised to use SSL certificates instead of PSK, or use Main mode, or both.
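As an added example (not part of the reply above, and not ShrewSoft's own tooling), here is a small Python lint for the `n:`/`s:`/`b:` site-file format shown in the post. It parses the file and flags the two points the reply raises: Aggressive mode combined with PSK authentication, and a PSK written into the site file instead of being entered through the GUI. The sample site text and its PSK value are constructed for the demo.

```python
"""Lint a ShrewSoft VPN site file for the weak settings the reply warns about."""
import re

# Constructed sample, abbreviated from the site file in the reply; the PSK line
# is deliberately filled in (constructed value) so the second check fires.
SAMPLE_SITE = """\
n:version:4
s:network-host:AAA.BB.CCC.DD #Set the public IP address of 3448 here
s:auth-method:mutual-psk-xauth
b:auth-mutual-psk:c2VjcmV0 #constructed value for the lint demo
s:phase1-exchange:aggressive
s:phase1-cipher:aes
n:phase1-keylen:256
"""

# Each line is <type>:<key>:<value>; type n = number, s = string, b = binary.
LINE_RE = re.compile(r"^([nsb]):([A-Za-z0-9-]+):(.*)$")


def parse_site(text):
    """Return {key: value}; strips trailing ' #comments', casts n: fields to int."""
    site = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        kind, key, value = m.groups()
        value = value.split(" #", 1)[0].strip()
        site[key] = int(value) if kind == "n" and value else value
    return site


def lint_site(site):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    auth = site.get("auth-method", "")
    if site.get("phase1-exchange") == "aggressive" and "psk" in auth:
        findings.append("aggressive mode with PSK: PSK-derived hash is sent "
                        "unencrypted and can be brute forced offline; "
                        "use main mode or certificates")
    if site.get("auth-mutual-psk"):
        findings.append("auth-mutual-psk is stored in the site file; leave it "
                        "blank and enter the PSK through the GUI")
    return findings


if __name__ == "__main__":
    for finding in lint_site(parse_site(SAMPLE_SITE)):
        print("WARN:", finding)
```

Point it at a real file with `parse_site(open(path).read())`; a site that uses Main mode and keeps the PSK out of the file produces no findings.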